# IT:AD:Azure:Security:Role:Administration Roles #

<callout type="Navigation" class="small">

* [[../|(UP)]]
{{indexmenu>.#2|nsort tsort}}
* See also:
  * [[IT/AD/Azure/Security/Role/BuiltIn/]]


</callout>


<panel title="Summary">

In Azure, for legacy and administration reasons, there are 3 *Administrator Roles* (which are not the same as [[IT/AD/Azure/Security/Role/BuiltIn/|BuiltIn Roles]] ((https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/)) ):

* [[IT/AD/Azure/Security/Role/Administration/Account Administrator/]]
* [[IT/AD/Azure/Security/Role/Administration/Service Administrator/]]
* [[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/]]


<uml>
!includeurl http://skysigal.com/_media/resources/configuration/plantuml/minimalist.txt

class AA
class SA
class CA

AA -- SA : manages
SA *-- CA : manages
AA *-- CA : manages 
</uml>

<span important>
It's worth remembering that an [[IT/AD/Azure/Account/]] must be an [[IT/AD/Azure/Security/Role/Administration/|Administrator Role]] or **will be refused access the [[IT/AD/Azure/Portal/Classic Portal/|Classic Portal]]**.  
This fact can affect Users of the [[IT/AD/Azure/Portal/Service Portal/|Service Portal]] who are given *Owner/Contributor/etc* [[IT/AD/Azure/Security/Role/BuiltIn/|BuiltIn Roles]] without considering this impact...
</span>


</panel>


## Notes ##


### The Issue with Legacy Administrator Roles
{{page>IT/AD/Azure/Security/Role/Why move to BuiltIn Roles#Summary&noheader&nofooter}}